Re: [Samba] ADS question
Hi,

> [public]
> comment = Backup Verzeichnis
> path = /mnt/backup
> admin users = DOMAIN+Administrator, root
> valid users = DOMAIN+Administrator, root
>
> The administrator of my Windows domain now should be able
> to access the "public" share. But when I try to access the
> box I am asked for a username and a password.
>
> I found, that getent passwd and group does not list the
> domain users and groups, just my local users and groups
> from /etc/passwd and /etc/groups.

After some more searching, I tuned the loglevel up to 10 and found these entries in winbindd.log:

    [2005/03/09 15:37:00, 0] libsmb/cliconnect.c:cli_session_setup_spnego(764)
      Kinit failed: Preauthentication failed
    [2005/03/09 15:38:12, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
      user 'marcus' does not exist
    [2005/03/09 15:38:28, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
      user 'root' does not exist
    [2005/03/09 15:40:00, 1] nsswitch/winbindd_group.c:winbindd_getgroups(1032)
      user 'root' does not exist
    [2005/03/09 15:42:00, 0] libsmb/cliconnect.c:cli_session_setup_spnego(764)
      Kinit failed: Preauthentication failed

kinit failed?
I can use wbinfo -[sgu] even from the local user "marcus" and get positive info from it, why not when invoked from the server?

I can mail the smbd log for the machine I am trying to connect to the server. But the output is huge (41k) and I would not like to post it directly to the list :)

Any suggestions? I would be happy for every hint.

Marcus

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] ADS question
On Wednesday, 09.03.2005, at 08:43 +0100, Marcus Franke wrote:

> Greetings,
>
> I managed to join my samba server into my ActiveDirectory domain.
>
> wbinfo -g or -u shows the groups and users in my Windows domain.
>
> But how do I use it for granting or denying access to my shares?
>

Ok, did some further investigations and found the following:

    [public]
    comment = Backup Verzeichnis
    path = /mnt/backup
    admin users = DOMAIN+Administrator, root
    valid users = DOMAIN+Administrator, root

The administrator of my Windows domain now should be able to access the "public" share. But when I try to access the box I am asked for a username and a password.

I found, that getent passwd and group does not list the domain users and groups, just my local users and groups from /etc/passwd and /etc/groups.

Am I doing something completely wrong?

I used the doc from: http://us2.samba.org/samba/docs/man/Samba-Guide/unixclients.html#ch9-adssdm

Marcus
[Samba] ADS question
Greetings,

I managed to join my samba server into my ActiveDirectory domain.

wbinfo -g or -u shows the groups and users in my Windows domain.

But how do I use it for granting or denying access to my shares?

Marcus
Re: AW: [Samba] Domain logon against a Windows Server 2003 based AD
Hi,

> Jul 13 11:06:56 linux winbindd[20394]: [2004/07/13 11:06:56, 0]
> libsmb/cliconnect.c:cli_session_setup_spnego(724)
> Jul 13 11:06:56 linux winbindd[20394]: Kinit failed: Cannot find KDC for
> requested realm

I did some further investigations into this direction and found some possible misconfiguration in the krb5-workstation/server package config.

my /etc/krb5.conf looks like this (looks good for my eyes):

Interesting is, there are no logfiles in /var/log/kerberos
Thought about touching them, but I don't know which rights and set of user.group for the files, so I did not do it.

    [logging]
    default = FILE:/var/log/kerberos/krb5libs.log
    kdc = FILE:/var/log/kerberos/krb5kdc.log
    admin_server = FILE:/var/log/kerberos/kadmind.log

    [libdefaults]
    ticket_lifetime = 24000
    default_realm = IDEALTEC.LOCAL
    default_tgs_enctypes = des-cbc-md5
    default_tkt_enctypes = des-cbc-md5
    permitted_enctypes = des3-hmac-sha1 des-cbc-crc
    dns_lookup_realm = false
    dns_lookup_kdc = false
    kdc_req_checksum_type = 2
    checksum_type = 2
    ccache_type = 1
    forwardable = true
    proxiable = true

    [realms]
    IDEALTEC.LOCAL = {
        kdc = dc-hh-001.idealtec.local:88
        admin_server = dc-hh-001.idealtec.local:749
        default_domain = idealtec.local
    }

These parameters seem to be right, because in my dns zone there is a _kerberos._tcp.dc._msdcs.idealtec.local entry pointing to port 88.
kdc is avail and working, as my two windows test clients can use the domain with no problem :(
but, admin_server isn't quite clear to me, what does it mean?

    [domain_realm]
    .idealtec.local = IDEALTEC.LOCAL

    [kdc]
    profile = /etc/kerberos/krb5kdc/kdc.conf

in this file, there was a small error, as there was still MANDRAKESOFT.COM as default domain, but I changed this to the correct value, but no change..

    [pam]
    debug = true
    ticket_lifetime = 36000
    renew_lifetime = 36000
    forwardable = true
    krb4_convert = false

    [login]
    krb4_convert = false
    krb4_get_tickets = false

Bye,
Marcus

--
pedo mellon a minno
Re: AW: [Samba] Domain logon against a Windows Server 2003 based AD
> hi,
> did you join your samba-server to the W2K Domain?
>

yes, more than once, do I need to do more cleanups than deleting the computer account in ads?

> > Jul 12 16:56:22 linux winbindd[2410]: [2004/07/12 16:56:22, 0]
> > nsswitch/winbindd_util.c:get_trust_pw(951)
> > Jul 12 16:56:22 linux winbindd[2410]: get_trust_pw: could not fetch
> > trust account password for my domain IDEALTEC.LOCAL
> > Jul 12 16:56:22 linux pam_winbind[3610]: request failed:
> > NT_STATUS_CANT_ACCESS_DOMAIN_INFO, PAM error was 4, NT error was
> > NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> this doesn't look like you did it...

did it, and now I get other error codes, as there was a possible mistake in the row with the realm directive. I did remove the .nf in front of realm, as I found an error message about realm in the messages log. And now I get other error messages, that look better/other :)

>
> and i hope that
> password server = *
> means that you only removed the name for that posting...

no, this was unchanged from the configuration drakauth did. I can change this to the server, as my test installation only has one, but I did understand the directive to support several servers when you insert the star. I guessed it would look inside the DNS service for the _msdcs zone, where all those services entries for the ads are being stored.

The slightly new errors, after restarting the DC, changed the group membership of "Everyone" to "Pre-Windows 2000 Compatible Access", and restarting smbd, nmbd, and winbind is:

    Jul 13 11:06:56 linux winbindd[20394]: [2004/07/13 11:06:56, 0] libsmb/cliconnect.c:cli_session_setup_spnego(724)
    Jul 13 11:06:56 linux winbindd[20394]: Kinit failed: Cannot find KDC for requested realm
    Jul 13 11:06:56 linux pam_winbind[2634]: request failed: No trusted SAM account, PAM error was 4, NT error was NT_STATUS_NO_TRUST_SAM_ACCOUNT
    Jul 13 11:06:56 linux pam_winbind[2634]: internal module error (retval = 4, user = `franke'
    Jul 13 11:06:56 linux login(pam_unix)[2634]: check pass; user unknown
    Jul 13 11:06:56 linux login(pam_unix)[2634]: authentication failure; logname= uid=0 euid=0 tty=vc/6 ruser= rhost=
    Jul 13 11:06:56 linux login(pam_unix)[2634]: check pass; user unknown
    Jul 13 11:06:59 linux winbindd[20394]: [2004/07/13 11:06:59, 0] libsmb/cliconnect.c:cli_session_setup_spnego(724)
    Jul 13 11:06:59 linux winbindd[20394]: Kinit failed: Cannot find KDC for requested realm
    Jul 13 11:06:59 linux pam_winbind[2634]: request failed: No trusted SAM account, PAM error was 4, NT error was NT_STATUS_NO_TRUST_SAM_ACCOUNT
    Jul 13 11:06:59 linux pam_winbind[2634]: internal module error (retval = 4, user = `franke'
    Jul 13 11:07:01 linux login[2634]: FAILED LOGIN 1 FROM (null) FOR franke, Authentication failure

Marcus

--
pedo mellon a minno
[Samba] Domain logon against a Windows Server 2003 based AD
Hi,

I'm trying to configure my Mandrake V10 box to do user authentication against an ActiveDirectory domain hosted on Windows Server 2003. And guess what, I have some problems :)

I used drakauth (similar to authconfig on RedHat) to configure the authentication against a windows domain. I was asked some questions concerning domain, domain controller, administrator account and password..

drakauth configured my smb.conf the following way:

    [global]
    workgroup = IDEALTEC.LOCAL
    server string = Samba Server %v
    security = domain
    encrypt passwords = Yes
    password server = *
    log file = /var/log/samba/log.%m
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    character set = ISO8859-15
    os level = 18
    local master = No
    dns proxy = No
    winbind uid = 1-2
    winbind gid = 1-2
    winbind separator = +
    template homedir = /home/%D/%U
    template shell = /bin/bash
    winbind use default domain = yes

But after a net join, I get the following errors, when I try to logon a domain user on my linux box:

    Jul 12 16:56:22 linux kde3(pam_unix)[3610]: auth could not identify password for [marcus]
    Jul 12 16:56:22 linux winbindd[2410]: [2004/07/12 16:56:22, 0] nsswitch/winbindd_util.c:get_trust_pw(951)
    Jul 12 16:56:22 linux winbindd[2410]: get_trust_pw: could not fetch trust account password for my domain IDEALTEC.LOCAL
    Jul 12 16:56:22 linux pam_winbind[3610]: request failed: NT_STATUS_CANT_ACCESS_DOMAIN_INFO, PAM error was 4, NT error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
    Jul 12 16:56:22 linux pam_winbind[3610]: internal module error (retval = 4, user = `marcus'

I even modified in the ActiveDirectory the SecurityPrincipal "Everyone" to be a member of the "pre-windows 2000 authentication" group, don't know if the name is right, as I have a german version of Windows :)

Last things I modified on my linux box was to change the security = domain to security = ads, as the net join gave me some hints that it could not find the ads realm and had to use RPC for interaction with my domain.

According to the man-page I set the following lines:

    security = ads
    .nf realm = dc-hh-001.idealtec.local

name resolution works, I have checked this, as I know how critical DNS is for ActiveDirectory based domains.

I'm currently working my way down the Samba-Howto-Collection Chapter 20: Use of Domain Accounts, but currently I'm somewhat puzzled, need to get some ground under my feet..

Bye,
Marcus

--
pedo mellon a minno
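An added example, not part of the original posts and not Samba's own code: a consistency check between the `realm` parameter in smb.conf and the realms defined in krb5.conf, run on constructed samples that mirror the settings quoted in this thread. The function names `parse` and `check_realm` are hypothetical, and whether this mismatch is what produced the "Cannot find KDC for requested realm" message in the follow-up is an assumption.

```python
# Constructed samples that mirror the settings quoted in this thread.
SMB_CONF = """[global]
security = ads
realm = dc-hh-001.idealtec.local
"""
KRB5_CONF = """[libdefaults]
default_realm = IDEALTEC.LOCAL
dns_lookup_kdc = false
[realms]
IDEALTEC.LOCAL = {
  kdc = dc-hh-001.idealtec.local:88
}
"""

def parse(text):
    """Parse smb.conf / krb5.conf text into {section: {key: [values] or sub-block}}."""
    out, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = out.setdefault(line[1:-1].strip().lower(), {}), None
        elif line == "}":                         # krb5.conf realm block closes
            block = None
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":                      # krb5.conf realm block opens
                block = section.setdefault(key.upper(), {})
            else:
                target = section if block is None else block
                target.setdefault(key.lower(), []).append(value)
    return out

def check_realm(smb_text, krb5_text):
    """Return findings about the smb.conf realm; an empty list means consistent."""
    smb, krb = parse(smb_text).get("global", {}), parse(krb5_text)
    if smb.get("security", [""])[-1].lower() != "ads":
        return []                                 # realm only matters for security = ads
    realm = smb.get("realm", [""])[-1].upper()
    realms = {k: v for k, v in krb.get("realms", {}).items() if isinstance(v, dict)}
    dns_off = krb.get("libdefaults", {}).get("dns_lookup_kdc", [""])[-1].lower() in ("false", "no", "0")
    kdc_hosts = {k.split(":")[0].upper() for r in realms.values() for k in r.get("kdc", [])}
    findings = []
    if not realm:
        findings.append("security = ads but no realm is set")
    elif realm not in realms and dns_off:
        findings.append(f"{realm}: no [realms] entry and dns_lookup_kdc is off")
    if realm in kdc_hosts:
        findings.append(f"{realm}: this is a KDC host name, not a realm name")
    return findings
```

Calling `check_realm(SMB_CONF, KRB5_CONF)` on the samples returns two findings; with `realm = IDEALTEC.LOCAL` it returns none.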
Re: [Samba] Workgroup shows up, but not the computer
Marcus Franke wrote:

Hi, I can't really be of much help except to say "me too". There have been 4 or 5 users (including) myself post regarding similar problems over the past 2 months or so in both workgroup and domain configurations, as far as I'm aware none have yet resolved the problem.

maybe NBT support on the client side is disabled? If you accidentally disabled support for NetBIOS protocol then the network neighborhood will stay empty as this feature fully relies on NBT

Argh, one should read his own postings before pressing the send button. If NBT is disabled you wouldn't even see the workgroup :)

But name resolution in a netbios based scenario isn't the most reliable process.. Try to activate WINS and make your clients use the WINS server, this could help

Marcus
Re: [Samba] Windows XP and domain logon
Honey Bajaj wrote:

Sascha, I am a bit new to samba and wins, can you explain in a bit detail, and one thing I would like to know is it necessary to have DNS server to have windows xp logon to domain.

If one has a Win2k, Win2k3 AD based domain then you MUST HAVE a working DNS for your domain controllers, as the client finds the logon services and the domain controllers with the help of the DNS service.

The entries in the DNS you are looking for are the SRV entries. Especially _gc, _ldap, and _kerberos for the logon process.

Marcus
Re: [Samba] Workgroup shows up, but not the computer
Hi, I can't really be of much help except to say "me too". There have been 4 or 5 users (including) myself post regarding similar problems over the past 2 months or so in both workgroup and domain configurations, as far as I'm aware none have yet resolved the problem.

maybe NBT support on the client side is disabled? If you accidentally disabled support for NetBIOS protocol then the network neighborhood will stay empty as this feature fully relies on NBT

Marcus
Re: [Samba] Winbind to more than one Domain [HELP]
Herman (ISTD) wrote:

Dear all, Anybody can help me ? I want my samba box to be able to join two different domain and authenticate to those different domains using Winbind.

Those two AD domains, do they form a single forest? If yes, then you should be able to authenticate the users from each domain regardless which dc you use.

Marcus

-Original Message-
From: Herman (ISTD) [mailto:[EMAIL PROTECTED]
Sent: 04 Juni 2004 16:41
To: [EMAIL PROTECTED]
Subject: [Samba] Winbind to more than one Domain

Dear all, I am using Winbind for my squid box authentication. The problem is that my squid users are distributed in two different Windows Domain (AD), do anyone know to enable Winbind authenticating with two different domains ?

Thank you very much.

Regards, herman
Re: [Samba] Mounting a windows 2003 share
reacend wrote:

Hi I want to mount a share of a Windows 2003 Domain Controller, but I've not been able... Does anybody know a solution for that problem?

Windows Server 2003 has per default activated the smb signing feature. Maybe this could cause you some problems.

To turn off the feature look at the local security policy for a GPE like

    Microsoft Network (Server) Communication digitally sign (always) - Activated

Sorry for my crude translation of the GPE but I only have a german edition of the server and maybe "Microsoft Netzwerk (Server) Kommunikation digital signieren (immer) - Aktiviert" would not help you much :)

Marcus
[Samba] crypted communication
Hello,

I have the following infrastructure: linux box with samba and lots of windows clients ranging from win98, nt4, w2k to xp.

I'd like to secure the communication between the clients and the server. What can I use to achieve this? Is it possible to use some ssl encryption?

I thought about using IPsec, but that's a problem for the nt4 and win9x clients.

Marcus